Commit | Line | Data |
---|---|---|
9fd17760 ER |
1 | Adapted for PHP 5.4.16 from |
2 | ||
3 | From 56754a7f9eba0e4f559b6ca081d9f2a447b3f159 Mon Sep 17 00:00:00 2001 | |
4 | From: Stanislav Malyshev <stas@php.net> | |
5 | Date: Sun, 28 Sep 2014 14:19:31 -0700 | |
6 | Subject: [PATCH] Fixed bug #68044: Integer overflow in unserialize() (32-bits | |
7 | only) | |
8 | ||
9 | --- | |
10 | NEWS | 5 ++++- | |
11 | ext/standard/tests/serialize/bug68044.phpt | 12 ++++++++++++ | |
12 | ext/standard/var_unserializer.c | 4 ++-- | |
13 | ext/standard/var_unserializer.re | 2 +- | |
14 | 4 files changed, 19 insertions(+), 4 deletions(-) | |
15 | create mode 100644 ext/standard/tests/serialize/bug68044.phpt | |
16 | ||
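--- /dev/null
+++ b/ext/standard/tests/serialize/bug68044.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Bug #68044 Integer overflow in unserialize() (32-bits only)
+--FILE--
+<?php
+ echo unserialize('C:3:"XYZ":18446744075857035259:{}');
+?>
+===DONE==
+--EXPECTF--
+Warning: Insufficient data for unserializing - %d required, 1 present in %s/bug68044.php on line 2
+
+Notice: unserialize(): Error at offset 32 of 33 bytes in %s/bug68044.php on line 2
+===DONE==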
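--- a/ext/standard/var_unserializer.c
+++ b/ext/standard/var_unserializer.c
@@ -326,7 +326,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
 
 (*p) += 2;
 
- if (datalen < 0 || (*p) + datalen >= max) {
+ if (datalen < 0 || (max - (*p)) <= datalen) {
 zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
 return 0;
 }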
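--- a/ext/standard/var_unserializer.re
+++ b/ext/standard/var_unserializer.re
@@ -332,7 +332,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
 
 (*p) += 2;
 
- if (datalen < 0 || (*p) + datalen >= max) {
+ if (datalen < 0 || (max - (*p)) <= datalen) {
 zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p)));
 return 0;
 }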
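Review bot: The new bound check in object_custom has no comment saying why it is written as a subtraction, so a later cleanup could turn it back into `(*p) + datalen >= max`, the form that can wrap the pointer on 32-bit builds when datalen is large. I would add `/* compare against the bytes remaining; (*p) + datalen can wrap the pointer on 32-bit */` directly above the `if`. The value of datalen is produced earlier in object_custom, outside this hunk, and the length field in the new test does not fit in a long, so the number reaching this check has presumably already wrapped in the parser; rejecting out-of-range length fields at parse time would be worth a follow-up. The same line is changed in ext/standard/var_unserializer.c, which appears to be the generated counterpart of this file.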
61 | -- | |
62 | 2.1.0 | |
63 |